[00:17.620 --> 00:22.820]  Good evening, Red Team Village. My name is Adam Pennington, and tonight I'm going to
[00:22.820 --> 00:26.900]  be talking about emulating an adversary with imperfect intelligence.
[00:28.720 --> 00:34.380]  So before I get into content, I wanted to start off with a little bit about who am I.
[00:35.160 --> 00:41.440]  So I'm the lead of a project called MITRE ATT&CK. I'm guessing some of you are probably familiar with it.
[00:41.440 --> 00:45.000]  Several of the other talks in the Red Team Village have been leveraging it.
[00:45.280 --> 00:51.400]  I've been with MITRE for about 12 years now. If you're not familiar with MITRE, we're a not-for-profit
[00:51.400 --> 00:56.680]  who primarily runs federally funded research and development centers for the federal government,
[00:56.680 --> 01:03.300]  and does work in the public interest in things similar to ATT&CK that we're putting out there for people to use.
[01:03.300 --> 01:08.780]  My principal focus is around threat intelligence and deception, but I've been working with
[01:08.780 --> 01:15.000]  adversary emulation teams for years on looking at what sorts of intelligence they're pulling together,
[01:15.000 --> 01:19.380]  and how well the profiles they're building up look like real adversaries.
[01:19.740 --> 01:26.160]  Most of my time today is spent on MITRE ATT&CK, but I've been an operational defender,
[01:26.160 --> 01:31.820]  as well as a cyber threat intelligence analyst. I've spent time in multiple security operations centers.
[01:32.620 --> 01:38.500]  I've been a part of ATT&CK for quite a while, so I've been around since it was a spreadsheet with no ampersand.
[01:38.960 --> 01:45.500]  ATT&CK originally was an Excel spreadsheet, and I helped gather a lot of the intelligence that we use
[01:45.500 --> 01:50.760]  to create ATT&CK in the first place. I was at MITRE, I was at Carnegie Mellon for 11 years
[01:50.760 --> 01:57.140]  trying to collect all the degrees. I'm also a scuba diver. I'm certified for technical diving,
[01:57.140 --> 02:02.640]  so decompression, rebreather diving. And I've spent time as a professional live sound engineer,
[02:02.640 --> 02:08.740]  which might explain some of my taste in home audio equipment. I've been around DEF CON for quite a while.
[02:08.740 --> 02:12.260]  Obviously, first one from home, like all the rest of you.
[02:14.240 --> 02:20.740]  Some of the key points I wanted to get to today. So I'm going to be looking at a very intelligence-focused
[02:20.740 --> 02:27.640]  approach to adversary emulation. I want to start off by setting the stage in adversary emulation,
[02:27.640 --> 02:34.900]  getting into the definition I'm using. Now, I'm not expecting that people here haven't heard of adversary emulation.
[02:34.940 --> 02:39.540]  I really just want to make sure that we're on the same page using the same definition,
[02:39.540 --> 02:44.780]  because adversary emulation is something that I've seen mean different things to different people.
[02:44.780 --> 02:51.080]  I'm going to talk about gathering and extracting the intelligence necessary to do adversary emulation.
[02:51.080 --> 02:56.760]  Where do we find it? How do we pull it together? And I'm going to talk about some of the flaws in that intel.
[02:56.760 --> 03:02.520]  So what's wrong with it? How do we recognize some of those imperfections? And then how do we deal with it?
[03:02.520 --> 03:08.860]  How do we find the gaps in our intel, fill them in, and leverage those to create a complete plan
[03:08.860 --> 03:16.300]  that we can use to actually emulate an adversary? So I said I was going to start with the definition.
[03:16.500 --> 03:21.460]  This is the definition of adversary emulation that I'm using for the rest of this talk.
[03:22.080 --> 03:27.100]  Adversary emulation is a type of red team engagement that mimics a known threat to an organization
[03:27.100 --> 03:33.060]  by leveraging threat intelligence to influence what actions and behaviors the red team does.
[03:33.060 --> 03:40.460]  Pretty straightforward. Leveraging threat intel, trying to use that to influence what we're going to do.
[03:41.640 --> 03:46.920]  So what's different? The big one is that it's driven by threat intelligence.
[03:46.920 --> 03:50.360]  So it's driven by how the adversary actually looks.
[03:51.100 --> 03:56.980]  There's a good chance we're going to use that threat intelligence to scope things more than we might in a normal engagement.
[03:56.980 --> 03:59.880]  So we want things to look like an actual threat.
[03:59.880 --> 04:06.520]  And so there are things we might not do and take out of our playbooks in order to stick to that.
[04:07.500 --> 04:13.820]  There's a good chance it follows a constructed scenario in order to stick to what a real adversary looks like.
[04:13.820 --> 04:21.780]  We might ahead of time create the set of activities, the set of behaviors that we plan to do so that we can keep to that.
[04:22.640 --> 04:30.460]  And the hope with all of this is that we're getting some idea of how our defenses might fare against a given adversary.
[04:30.600 --> 04:34.240]  It's still not the real threat. It's still not going to be the same.
[04:34.240 --> 04:38.960]  But we're hoping to get close enough to start to get some ideas.
[04:40.300 --> 04:44.600]  So there's a bunch of new challenges that emulation brings in around intelligence.
[04:44.800 --> 04:48.660]  And I'm going to be covering several of these in my talk tonight.
[04:49.480 --> 04:53.300]  The first and most basic one, the need for intelligence in the first place.
[04:53.320 --> 04:56.860]  So needing to know what an adversary looks like.
[04:57.660 --> 05:03.340]  We might not have enough intelligence out there on an adversary that's in a form we can use.
[05:03.340 --> 05:11.360]  It might not describe the sorts of activities that we need as an adversary emulation team to go out and look like the adversary.
[05:12.360 --> 05:16.960]  The adversary we want to emulate, there may just not be enough intel on.
[05:16.960 --> 05:18.680]  We may not know about them.
[05:18.800 --> 05:23.460]  And so we might need to fill in the picture a little bit more to be able to really emulate them.
[05:24.260 --> 05:27.280]  And finally, you know, we're pulling all this intel.
[05:27.300 --> 05:30.780]  We need to be able to turn it into a workable scenario.
[05:32.320 --> 05:41.300]  So my team has an adversary emulation process that we've used in several other places in presentations, as well as documents.
[05:41.300 --> 05:48.000]  But it originally comes from a presentation a few years ago by then ATT&CK team members, Katie Nickels and Cody Thomas.
[05:48.740 --> 05:53.620]  And the process we work from is to first gather threat intelligence.
[05:53.620 --> 06:02.240]  So figure out who your adversaries are and start to pull in all the information you can find on the adversary you picked to emulate.
[06:03.840 --> 06:06.120]  Extract techniques from that intelligence.
[06:06.120 --> 06:14.960]  So start to look at what the behaviors are in that intelligence, so that we can pull them together into a plan to be able to look like those behaviors.
[06:17.240 --> 06:19.560]  Analyze and organize that intelligence.
[06:19.900 --> 06:30.540]  So taking those behaviors, looking at what's there, what isn't there, filling in any gaps, and then pulling that together into a plan we can actually use.
[06:31.320 --> 06:32.920]  Develop tools.
[06:33.280 --> 06:38.640]  So we need malware utilities and other things to be able to operate with.
[06:38.980 --> 06:41.940]  And then finally, do the emulation.
[06:44.590 --> 06:52.750]  So I'm a threat intel guy. I'm going to cover the most threat intel focused pieces of this process.
[06:52.750 --> 06:57.530]  And so what I'm going to focus on today is the first three steps in this process.
[06:59.770 --> 07:03.270]  So start with the first step, gather threat intelligence.
[07:03.870 --> 07:10.250]  So we're going to need to choose an adversary and then pull in information that we can find about them.
[07:10.590 --> 07:14.870]  So before we can start gathering data, we need to identify the adversary.
[07:15.350 --> 07:26.950]  I'll cover two ways to do this: looking at gaps that we're hoping to assess in our environment, and considering who is targeting us in the first place.
[07:26.950 --> 07:32.110]  I'll then go through a couple of processes for gathering data on that adversary.
[07:32.330 --> 07:40.330]  So pulling in information on things that they do after they break into environments, that's likely to be most of the space of our engagement.
[07:40.830 --> 07:46.590]  And beyond behaviors, there are some things to think about beyond just what techniques they do.
[07:46.610 --> 07:52.010]  So what tools are adversaries using? What other groups are associated with them?
[07:52.010 --> 07:56.690]  So what other names might we have that are describing some of the same activity?
[07:56.950 --> 08:00.030]  As well as an adversary's campaigns.
[08:00.250 --> 08:07.830]  So a series of intrusions that are happening in a time period that are attributed to the same actor.
[08:08.350 --> 08:11.630]  And on top of all this, we probably want to think about the timeframe.
[08:11.870 --> 08:17.790]  Some of the actors we might want to emulate might have been in this business a very long time.
[08:17.790 --> 08:24.710]  So I'll be using an actor later, who is thought to have been around since at least 2004.
[08:24.710 --> 08:30.010]  What they looked like in 2004 is probably a little bit different than what they look like today.
[08:33.220 --> 08:43.820]  So there are a lot of ways that you can find lists of adversaries, you know, information on starting points for who it is you want to emulate.
[08:44.320 --> 08:49.520]  I've got my biases, I'm going to leverage ATT&CK, but you don't have to.
[08:49.520 --> 08:55.260]  But a decent number of red teams we have seen using it for adversary emulation.
[08:55.260 --> 08:58.500]  So some other options instead of ATT&CK.
[08:58.560 --> 09:07.500]  If you have an internal threat intelligence team that is tracking on groups that are, you know, hitting your own organization,
[09:07.500 --> 09:10.920]  that might be your best source of threat intelligence.
[09:10.920 --> 09:15.340]  So they know about the threats that matter most to your organization.
[09:15.460 --> 09:21.420]  They may have the best picture of the techniques that are really relevant to you.
[09:21.420 --> 09:24.260]  So that could be a really good place to start.
[09:24.260 --> 09:30.580]  There are people that might be able to sell this information to you.
[09:30.580 --> 09:35.020]  So there are commercial threat intelligence providers where, you know, for a fee,
[09:35.020 --> 09:39.240]  you can get information on different adversaries you might be interested in.
[09:39.960 --> 09:42.480]  Or you can go to the same well that we do.
[09:42.480 --> 09:47.500]  So everything that we're pulling into ATT&CK is coming from open source threat intelligence reporting.
[09:47.880 --> 09:51.560]  And so you can go out and look at some of the same sorts of reports we do ourselves.
[09:52.940 --> 09:55.700]  Because I'm going to be using ATT&CK for the rest of this talk,
[09:55.700 --> 10:02.260]  I'm just going to quickly get into a few of the specific aspects of it that I'm going to be leveraging here.
[10:02.340 --> 10:07.220]  So I'm not going to get into, you know, the defensive use cases, things like that.
[10:07.360 --> 10:13.080]  Just sort of the basics of the framework structure and then the groups information that we're going to be pulling from it.
[10:14.640 --> 10:17.980]  So I think probably a lot of you have already heard of ATT&CK.
[10:17.980 --> 10:22.230]  But at its core, ATT&CK is a knowledge base of adversary behaviors.
[10:22.580 --> 10:28.640]  It's like an encyclopedia of things that real actors have been seen to do in the wild.
[10:28.740 --> 10:36.080]  So not just things a red team has done, not just theoretical, but it's actual adversary behaviors.
[10:36.300 --> 10:40.440]  It's freely available. Everything I'm going to be talking about today,
[10:40.440 --> 10:44.500]  every resource I'm using is out there for free.
[10:44.500 --> 10:47.280]  And if it's code, it's open source.
[10:48.140 --> 10:50.440]  So let's talk about structure here.
[10:50.440 --> 10:54.980]  This is the view most people use of ATT&CK. It's what we call the matrix.
[10:56.260 --> 11:01.260]  It's a layout of different activities that adversaries do.
[11:01.300 --> 11:06.020]  The way it's organized is across the top here, we have what we call tactics.
[11:06.120 --> 11:08.760]  These are the adversary's broad technical goals.
[11:08.760 --> 11:11.260]  So it's something like initial access.
[11:11.640 --> 11:17.140]  The adversary is trying to get into my network or exfiltration.
[11:17.140 --> 11:20.680]  The adversary is sending stuff that they've stolen out of my environment.
[11:20.680 --> 11:25.620]  Or something a little different like impact, where an adversary is trying to cause destruction
[11:25.620 --> 11:29.200]  or disruption to systems or my environment.
[11:30.020 --> 11:34.180]  Under each of these tactics, we have what we call techniques.
[11:34.280 --> 11:37.860]  And those are how the technical goals are achieved.
[11:38.400 --> 11:41.260]  And these are sort of the basic unit of ATT&CK.
[11:41.260 --> 11:43.500]  I've seen a bunch of techniques.
[11:43.500 --> 11:48.020]  So Cirio was just using several technique IDs in her talk.
[11:48.280 --> 11:52.320]  And so these are getting down to more specific ways.
[11:52.320 --> 11:55.200]  So instead of initial access, we now have something like phishing.
[11:55.200 --> 11:57.960]  The adversary is sending a malicious email.
[11:58.500 --> 12:01.120]  That's kind of an exciting talk for me,
[12:01.120 --> 12:05.000]  because this is the first time I've given a talk in years
[12:05.000 --> 12:08.480]  that I've been able to fit the matrix on a single slide.
[12:08.540 --> 12:12.420]  So we recently did a fairly big refactoring of ATT&CK
[12:12.420 --> 12:15.180]  and going from just tactics and techniques
[12:15.180 --> 12:19.080]  to tactics, techniques, and sub-techniques.
[12:19.080 --> 12:23.720]  So there's now another layer of abstraction under a lot of the techniques.
[12:24.640 --> 12:27.660]  Sub-techniques are just more specific techniques.
[12:27.660 --> 12:31.020]  So instead of phishing, we have something like spear phishing attachment
[12:31.020 --> 12:33.000]  or spear phishing link.
[12:33.000 --> 12:35.600]  So it's, again, getting more specific.
[12:35.780 --> 12:40.820]  These sub-techniques have all the same properties behind them as techniques.
[12:40.820 --> 12:44.620]  They have all the same mitigations, detections, everything else.
[12:44.640 --> 12:48.780]  It's just a deeper level of specificity, and they have a parent technique.
[12:50.060 --> 12:54.340]  Finally, getting all the way down to detail, we've got procedures.
[12:54.460 --> 12:59.340]  These are specific adversary implementations of techniques and sub-techniques.
[12:59.820 --> 13:01.460]  So instead of spear phishing attachment,
[13:01.460 --> 13:03.700]  we might have APT12, who sent emails
[13:03.700 --> 13:07.200]  with malicious office documents and PDFs attached.
[13:08.400 --> 13:12.060]  Okay, our goal was to find out stuff about groups.
[13:12.360 --> 13:15.440]  Something else that ATT&CK has is profiles
[13:15.860 --> 13:19.400]  on a number of different threat actors, over 100 of them.
[13:20.240 --> 13:22.560]  This is what a group page looks like.
[13:22.560 --> 13:26.480]  We've got a brief text description of the group itself,
[13:26.480 --> 13:29.060]  some metadata associated with it.
[13:29.060 --> 13:32.500]  We have what we call associated group descriptions.
[13:33.340 --> 13:35.900]  Different companies, different threat intelligence providers
[13:36.440 --> 13:41.760]  use different names to describe the same or closely related groups.
[13:43.040 --> 13:44.220]  And this is natural.
[13:44.220 --> 13:47.160]  These organizations have their own definitions of these groups
[13:47.160 --> 13:49.080]  that may not be quite the same.
[13:49.080 --> 13:50.960]  That's one of the reasons we call it associated groups
[13:50.960 --> 13:53.900]  instead of what we used to call it, which is aliases.
[13:55.440 --> 13:57.620]  We keep track of what techniques are used.
[13:57.620 --> 14:01.180]  So we've taken open source threat intelligence reporting,
[14:01.180 --> 14:03.800]  gone through, and figured out what those reports say
[14:03.800 --> 14:05.340]  that the adversary has been doing.
[14:07.700 --> 14:10.980]  Similar to our groups pages, we also have software pages.
[14:11.220 --> 14:15.780]  Those keep track of different pieces of software
[14:15.780 --> 14:17.860]  the adversary is using, everything from utilities
[14:17.860 --> 14:20.020]  to things that they've custom written,
[14:20.680 --> 14:22.640]  as well as all of the techniques
[14:22.640 --> 14:26.840]  that that particular piece of software is able to do.
[14:27.460 --> 14:29.600]  And finally, there's references for all of it.
[14:29.600 --> 14:31.240]  You can go back, you can check our work,
[14:31.240 --> 14:33.040]  you can see the original references,
[14:33.520 --> 14:35.880]  and make sure that you believe what we say about it.
[14:35.900 --> 14:43.130]  People use ATT&CK for a lot of different things.
[14:43.130 --> 14:45.830]  I'm only touching on adversary emulation tonight.
[14:46.250 --> 14:48.970]  It's kind of a good use case for ATT&CK, though.
[14:48.970 --> 14:52.210]  So it turns out that adversary emulation
[14:52.210 --> 14:54.970]  is what ATT&CK was created for in the first place.
[14:56.970 --> 14:59.150]  The reason we originally created ATT&CK
[14:59.150 --> 15:01.750]  was that we had a red team
[15:02.270 --> 15:06.030]  who wanted to look like some specific actors,
[15:06.030 --> 15:08.750]  wanted to create playbooks, create plans,
[15:09.550 --> 15:11.490]  operate, and then wanted to be able
[15:11.490 --> 15:12.810]  to compare notes with the blue team
[15:12.810 --> 15:14.850]  and see if they saw the same things
[15:14.850 --> 15:16.570]  that the adversary had done.
[15:18.050 --> 15:19.010]  Okay.
[15:20.570 --> 15:22.770]  So if I want to actually start
[15:22.770 --> 15:25.470]  to pick out an actor from all this set,
[15:25.470 --> 15:27.070]  you've got 100 actors.
[15:27.150 --> 15:31.070]  So we can start by looking at how specific actors
[15:31.070 --> 15:32.510]  align with some of the gaps
[15:32.510 --> 15:34.950]  that we think we might have in our defenses.
[15:36.010 --> 15:38.650]  So this is coming from APT28.
[15:39.850 --> 15:41.510]  Everything in blue here
[15:42.690 --> 15:45.370]  is techniques that we've identified
[15:45.370 --> 15:48.890]  from multiple open-source threat intelligence reports.
[15:48.890 --> 15:51.330]  It's not using any commercial or government reporting.
[15:51.330 --> 15:54.010]  It's just things that you also have access to.
[15:54.230 --> 15:55.990]  I'm going to be showing a bunch of diagrams
[15:55.990 --> 15:57.430]  that look like this.
[15:57.430 --> 15:59.850]  This is basically the same matrix layout
[15:59.850 --> 16:02.450]  I showed in the introduction a second ago.
[16:02.450 --> 16:04.210]  I do have a number of the sub-techniques
[16:04.210 --> 16:07.510]  expanded out to show a bit more of the detail.
[16:08.310 --> 16:10.730]  But you're probably not going to be able to read the labels
[16:10.730 --> 16:13.350]  at least over on Twitch or YouTube.
[16:14.010 --> 16:15.870]  But all these diagrams I'm creating
[16:15.870 --> 16:17.290]  are using ATT&CK Navigator,
[16:17.290 --> 16:19.350]  which is an open-source tool we provided.
[16:19.590 --> 16:22.250]  That's a URL to actually work with it yourself.
[16:22.250 --> 16:24.030]  And I'll release the slides for this
[16:24.030 --> 16:25.190]  right after the talk
[16:25.190 --> 16:28.630]  and work on getting the navigator layers out I'm using.
[16:29.430 --> 16:30.890]  So if we're looking at the techniques
[16:30.890 --> 16:33.970]  that APT28 has used,
[16:34.330 --> 16:36.170]  we can then compare that with
[16:37.510 --> 16:39.170]  our own defenses.
[16:39.170 --> 16:43.330]  So if we take the same ATT&CK Navigator,
[16:43.330 --> 16:45.390]  we lay out where we think
[16:45.390 --> 16:46.930]  that our defenses can catch
[16:46.930 --> 16:48.690]  or not catch an adversary.
[16:48.690 --> 16:51.210]  So what's in red here is notional gaps
[16:51.210 --> 16:53.670]  in the defenses for an organization.
[16:53.670 --> 16:57.710]  So what I think that I can't detect today.
[16:58.450 --> 16:59.110]  Okay?
[16:59.210 --> 17:02.130]  So if I take that adversary,
[17:02.130 --> 17:04.170]  I add the gaps to it,
[17:04.170 --> 17:05.710]  I can then create something
[17:05.710 --> 17:07.730]  that looks like this.
[17:08.090 --> 17:13.310]  So I now have the APT28 in blue,
[17:13.310 --> 17:15.010]  our gaps in red,
[17:15.010 --> 17:17.630]  and the green here is, you know,
[17:17.630 --> 17:19.890]  where we think we might have gaps.
[17:20.010 --> 17:22.050]  So again, without the slides,
[17:22.050 --> 17:23.210]  probably not going to be able to see
[17:23.210 --> 17:25.370]  which individual techniques are highlighted.
[17:25.390 --> 17:26.810]  But we can see, you know,
[17:26.810 --> 17:29.370]  maybe APT28 isn't the best match for us.
[17:29.370 --> 17:32.570]  You know, they've only got maybe 10 techniques
[17:32.570 --> 17:35.010]  that overlap with things that we think are gaps.
[17:35.010 --> 17:36.290]  So, okay.
[17:36.450 --> 17:38.350]  What else can we look for?
[17:40.250 --> 17:41.990]  We can also look at adversaries
[17:41.990 --> 17:43.490]  who are targeting us.
[17:43.490 --> 17:45.550]  So especially if we've got our own internal
[17:45.550 --> 17:48.130]  threat intelligence team to help us,
[17:48.610 --> 17:51.510]  they may be able to help us prioritize here
[17:51.510 --> 17:53.470]  because hopefully they know
[17:53.930 --> 17:56.410]  who it is who's been coming after us.
[17:56.530 --> 17:58.330]  And again, there's a couple different ways
[17:58.330 --> 18:00.950]  that we can prioritize based on this.
[18:03.310 --> 18:04.850]  So we can start with an adversary
[18:04.850 --> 18:06.570]  who targets us regularly.
[18:06.890 --> 18:09.250]  Now, maybe we've got some actor
[18:09.850 --> 18:12.650]  who the first Monday of every month,
[18:12.650 --> 18:15.390]  like clockwork, sends us a spearphish.
[18:16.630 --> 18:18.910]  You know, maybe they're not the best.
[18:18.910 --> 18:20.430]  We don't, you know, maybe that we think
[18:20.430 --> 18:22.650]  that our defenses are pretty good about them,
[18:22.650 --> 18:24.830]  but they may be of a lot of interest to us
[18:24.830 --> 18:27.650]  just because they're trying so regularly.
[18:27.650 --> 18:30.470]  They're definitely a persistent threat.
[18:31.830 --> 18:32.890]  We can look at adversaries
[18:32.890 --> 18:34.630]  who have targeted others like us.
[18:34.850 --> 18:35.890]  If we've got some actor
[18:35.890 --> 18:37.750]  who's tried to break into
[18:37.750 --> 18:39.790]  every other peer in our industry
[18:40.790 --> 18:43.470]  and has succeeded in places,
[18:43.470 --> 18:45.050]  well, we're probably somewhere
[18:45.050 --> 18:46.290]  on their priority list.
[18:46.290 --> 18:48.690]  We're in their priority intelligence requirements
[18:48.690 --> 18:51.630]  for who they should be breaking into.
[18:51.810 --> 18:52.810]  So we might want to understand
[18:52.810 --> 18:55.890]  how it is that we might face against them.
[18:56.510 --> 18:57.850]  Finally, you might want to pick
[18:57.850 --> 19:00.850]  an adversary who doesn't target us very much
[19:00.850 --> 19:03.310]  or we've never actually seen,
[19:03.310 --> 19:05.830]  but they might, but has a high skill level.
[19:05.830 --> 19:08.210]  You know, the actor who keeps us up at night
[19:08.210 --> 19:12.110]  because we think that if they came after us,
[19:12.110 --> 19:13.690]  they'd probably succeed.
[19:13.690 --> 19:15.870]  You know, they've got the high skill set.
[19:16.930 --> 19:18.690]  So the adversary I'm leveraging today
[19:18.690 --> 19:19.930]  for a lot of organizations
[19:19.930 --> 19:22.650]  probably more fits into this last group.
[19:23.190 --> 19:25.830]  The keep you up at night adversary.
[19:27.310 --> 19:29.010]  So the adversary I'm going to leverage
[19:29.010 --> 19:31.610]  for the rest of this talk is Turla.
[19:32.730 --> 19:37.090]  Turla has been attributed to Russian state activity.
[19:37.630 --> 19:39.790]  They've been around for quite a while.
[19:39.790 --> 19:43.010]  They've been seen since at least 2004.
[19:43.570 --> 19:45.010]  I kind of like this group
[19:45.010 --> 19:46.270]  and that they're cross-platform
[19:46.270 --> 19:49.590]  so they don't just stick to Windows systems,
[19:49.590 --> 19:52.830]  but they've been known to go after macOS and Linux.
[19:53.190 --> 19:55.010]  And they use some interesting techniques
[19:55.010 --> 19:58.050]  that we don't see a lot of actors use.
[19:58.530 --> 20:00.690]  And so everything in ATT&CK has been seen somewhere
[20:00.690 --> 20:03.150]  by some actor, but there are techniques
[20:03.150 --> 20:05.610]  that there are really only, you know,
[20:05.750 --> 20:07.290]  a certain number of high-end adversaries
[20:07.290 --> 20:08.810]  that are getting into them.
[20:10.750 --> 20:12.690]  So we've picked our actor.
[20:13.190 --> 20:15.650]  It's time to start gathering data on them.
[20:15.650 --> 20:20.110]  So if I'm not using ATT&CK as my data source,
[20:20.110 --> 20:21.670]  I'm going to want to probably go out there
[20:21.670 --> 20:23.290]  and start gathering intel.
[20:23.510 --> 20:25.550]  And so, you know, I can start looking
[20:25.550 --> 20:27.870]  through open source publicly available
[20:27.870 --> 20:29.530]  threat intelligence reports.
[20:29.530 --> 20:32.770]  There are quite a lot of them out there these days.
[20:32.770 --> 20:34.870]  There really weren't that many when ATT&CK started,
[20:34.870 --> 20:37.870]  but we do have quite a wealth out there
[20:37.870 --> 20:40.130]  of reporting now.
[20:41.110 --> 20:43.650]  Or I can leverage the version
[20:43.650 --> 20:46.470]  of a lot of these techniques that's in ATT&CK.
[20:46.590 --> 20:50.270]  So we're going through some of these exact same reports,
[20:50.270 --> 20:52.730]  trying to find what behaviors and techniques
[20:52.730 --> 20:55.230]  are in there, and then we're putting out
[20:55.230 --> 20:57.450]  that same information in ATT&CK.
[20:57.450 --> 20:59.510]  So it's information you already have access to
[20:59.530 --> 21:02.770]  just in a digested form.
[21:05.030 --> 21:07.110]  So we've got this intel.
[21:07.110 --> 21:11.150]  If we're going from our own sources,
[21:11.150 --> 21:14.090]  if we're bringing in open source threat intelligence
[21:14.090 --> 21:16.810]  reporting ourselves, we're going to need to go
[21:16.810 --> 21:20.290]  through a process of extracting techniques.
[21:20.670 --> 21:23.490]  Internally, we tend to call this mapping.
[21:23.630 --> 21:26.130]  So the quick process that you're going to go through
[21:26.130 --> 21:28.950]  in these reports is something along the lines
[21:28.950 --> 21:32.970]  of first finding the behaviors in the report.
[21:32.970 --> 21:36.150]  So figuring out what is it that are activities
[21:36.150 --> 21:38.650]  that the adversary did, the things that we're going
[21:38.650 --> 21:41.730]  to want to later be doing ourselves.
[21:42.450 --> 21:44.130]  Figure out the tactics.
[21:44.130 --> 21:46.070]  So it takes a little bit of experience
[21:46.070 --> 21:47.890]  in understanding what you're reading
[21:47.890 --> 21:49.490]  with adversary behavior.
[21:49.730 --> 21:51.290]  But what is the adversary's goal
[21:51.290 --> 21:53.670]  for each of those behaviors?
[21:54.650 --> 21:56.150]  Move down to more specifics.
[21:56.150 --> 21:58.610]  Move down those columns of ATT&CK.
[21:58.950 --> 22:01.910]  Go from the tactic to a technique,
[22:01.910 --> 22:05.770]  or even better, all the way down into a sub-technique.
[22:06.630 --> 22:08.530]  And I recommend doing this as a team.
[22:08.530 --> 22:10.170]  You know, everyone has their own biases
[22:10.170 --> 22:12.830]  and preconceptions in how they read intel,
[22:12.830 --> 22:15.190]  something I'll talk about a bit more in a minute.
[22:15.410 --> 22:17.870]  But comparing notes can be super effective
[22:17.870 --> 22:22.030]  for canceling out different issues you might have.
[22:22.550 --> 22:24.270]  So I'm only going to be briefly talking
[22:24.270 --> 22:25.950]  about how to do this, but my friend
[22:25.950 --> 22:27.850]  and former ATT&CK teammate Katie Nickels
[22:28.950 --> 22:30.210]  released training earlier this year
[22:30.210 --> 22:32.970]  on how to do this mapping in much more detail.
[22:33.430 --> 22:36.010]  The URL for it is available in the slides.
[22:36.010 --> 22:38.070]  Again, I'll release the slides later.
[22:38.290 --> 22:39.550]  And it's completely free.
[22:39.550 --> 22:41.910]  The videos for it are up on YouTube.
[22:44.980 --> 22:48.700]  So this process of mapping ATT&CK techniques.
[22:48.760 --> 22:50.340]  You know, this little snippet of reporting
[22:50.340 --> 22:52.600]  has quite a few of them in it
[22:52.600 --> 22:54.800]  in the way that we would interpret
[22:54.800 --> 22:57.640]  an open-source threat intelligence report.
[22:57.640 --> 23:00.020]  So first we're going through,
[23:00.020 --> 23:02.680]  we're identifying each of the behaviors.
[23:02.680 --> 23:04.720]  There's the highlighted in yellow bits
[23:04.720 --> 23:07.080]  where they're either describing something
[23:07.080 --> 23:08.840]  an adversary did or, you know,
[23:08.840 --> 23:10.910]  they're using a tool where it's relatively clear
[23:11.360 --> 23:14.960]  what the behavior is that they're using it for.
[23:15.840 --> 23:17.760]  We're going through, we're getting down
[23:17.760 --> 23:20.620]  into tactics and getting down into techniques.
[23:20.620 --> 23:22.120]  So instead of create batch scripts,
[23:22.120 --> 23:23.700]  we're interpreting that into ATT&CK
[23:23.700 --> 23:28.200]  for our Windows Command Shell, T1059.003.
[23:28.560 --> 23:30.600]  Instead of Windows run key,
[23:30.600 --> 23:33.540]  we now have registry run keys, startup folder.
[23:33.540 --> 23:36.340]  So T1547.001.
[23:36.440 --> 23:38.660]  And we're just going through the entire document,
[23:38.660 --> 23:41.200]  repeating this process over and over again,
[23:41.200 --> 23:44.460]  and pulling out the full set of techniques
[23:44.460 --> 23:46.200]  that we're able to find.
[23:49.300 --> 23:52.680]  So once you've pulled out all those techniques,
[23:52.680 --> 23:54.840]  you need to structure your intel.
[23:54.840 --> 23:58.760]  And so I'm, you know, again, using the ATT&CK Navigator.
[23:58.920 --> 24:02.000]  This is the full set of Turla techniques
[24:02.580 --> 24:04.920]  that I've extracted from ATT&CK,
[24:04.920 --> 24:07.580]  pulled out of their page that's in there.
[24:07.660 --> 24:09.520]  Again, everything that's here is only based
[24:09.520 --> 24:11.560]  on open source threat intelligence reporting.
[24:11.560 --> 24:14.620]  So it has the limitations of that.
[24:15.440 --> 24:18.800]  And so this is the sum total
[24:18.800 --> 24:21.520]  of all of those threat intelligence reports
[24:21.520 --> 24:22.980]  we mapped with Turla.
[24:25.780 --> 24:28.860]  Okay, so we've got a pile of intel.
[24:29.260 --> 24:31.280]  What do we actually do with it?
[24:31.280 --> 24:32.960]  You know, is this any good?
[24:32.960 --> 24:35.440]  Do we have a picture of the adversary yet?
[24:35.700 --> 24:37.840]  And so we're going to need to go through some more work
[24:38.780 --> 24:41.080]  to figure out what we've got,
[24:41.080 --> 24:43.320]  you know, what the adversary is trying to do.
[24:43.440 --> 24:45.540]  And do we even have enough of a picture
[24:45.540 --> 24:47.560]  to be able to make a plan here?
[24:48.260 --> 24:50.240]  So the first two steps I'm going to work through
[24:50.240 --> 24:53.720]  are establishing the adversary's goal.
[24:53.720 --> 24:56.420]  So what is it that they're trying to do?
[24:56.420 --> 24:59.180]  Understand their modus operandi a little bit better
[24:59.680 --> 25:04.960]  in terms of what we're later going to want to operate like.
[25:05.080 --> 25:06.600]  And an important point to remember
[25:06.600 --> 25:11.440]  is that this goal is probably not technical.
[25:11.720 --> 25:14.160]  The adversary is probably not focused
[25:14.160 --> 25:15.860]  on getting domain administrator
[25:15.860 --> 25:18.200]  or stealing a particular password.
[25:18.200 --> 25:20.420]  They're probably interested in fulfilling
[25:20.420 --> 25:23.480]  an intelligence requirement.
[25:23.480 --> 25:25.720]  You know, they have some piece of information
[25:26.300 --> 25:28.800]  that they want to steal from your environment.
[25:30.400 --> 25:33.480]  So the goal is likely to be something more like data theft
[25:33.980 --> 25:35.600]  or to stop you from operating
[25:36.540 --> 25:38.680]  than, you know, hack the Gibson
[25:39.300 --> 25:41.800]  or, you know, brick a particular computer.
[25:43.220 --> 25:44.940]  After you've determined what that goal is,
[25:44.940 --> 25:46.540]  you need to look at what the gaps are
[25:46.540 --> 25:49.900]  between an adversary getting in and reaching that goal.
[25:50.420 --> 25:52.060]  What is it I don't know about the middle
[25:52.060 --> 25:56.140]  that would let me look like that adversary?
[25:57.720 --> 26:00.620]  So to go through those first two steps of it,
[26:00.620 --> 26:02.900]  so establishing an adversary goal.
[26:03.420 --> 26:05.560]  You could take a look at which tactics
[26:06.100 --> 26:07.600]  the adversary is using.
[26:07.600 --> 26:10.800]  So we can see that Turla has some stuff
[26:10.800 --> 26:12.480]  in collection and exfiltration.
[26:12.480 --> 26:14.300]  They've got nothing in impact.
[26:14.300 --> 26:17.380]  But instead, I'm going to go back to the original reporting.
[26:18.260 --> 26:21.920]  So this is a Kaspersky report on Turla.
[26:22.120 --> 26:24.600]  And so they talk about how Turla went through,
[26:24.600 --> 26:26.540]  they're searching for emails.
[26:26.540 --> 26:28.180]  They were specifically looking for emails
[26:28.180 --> 26:30.380]  related to NATO energy dialogue.
[26:30.380 --> 26:32.660]  And then shortly afterwards, the report talks about them
[26:32.660 --> 26:34.140]  exfiling the information.
[26:34.140 --> 26:36.420]  So, okay, they're stealing information
[26:36.420 --> 26:38.820]  around particular topics.
[26:39.900 --> 26:42.120]  Similarly, an ESET report.
[26:42.120 --> 26:43.420]  They're going through,
[26:43.420 --> 26:47.000]  they're getting into the victim's Microsoft SQL database.
[26:47.000 --> 26:48.800]  Pulling documents out of it,
[26:48.800 --> 26:50.040]  and again, exfiling,
[26:50.040 --> 26:52.740]  and taking specific information.
[26:53.580 --> 26:55.720]  So we've got a relatively clear picture,
[26:55.720 --> 26:57.060]  and we can look at other reports
[26:57.060 --> 26:58.660]  and see the same thing,
[26:58.660 --> 27:00.840]  where over and over and over again,
[27:00.840 --> 27:03.400]  Turla is stealing information.
[27:03.400 --> 27:05.240]  So it looks like they're focused on
[27:05.780 --> 27:09.200]  theft of information and exfiltration.
[27:12.980 --> 27:16.480]  So I said that we need to then
[27:16.480 --> 27:20.240]  examine gaps between access and goal.
[27:20.760 --> 27:23.080]  I'm going to cover for a few minutes first,
[27:23.080 --> 27:24.740]  why are there gaps?
[27:24.880 --> 27:26.940]  So we've got this intel,
[27:26.940 --> 27:29.180]  it's in ATT&CK, it's all out there.
[27:29.260 --> 27:31.520]  Why isn't that enough for us
[27:31.520 --> 27:33.640]  to be able to work with?
[27:34.500 --> 27:35.780]  Open source intelligence
[27:35.780 --> 27:38.820]  likely doesn't paint a complete picture
[27:38.820 --> 27:40.300]  of an adversary.
[27:40.640 --> 27:42.940]  Frankly, commercial and closed intelligence
[27:42.940 --> 27:44.680]  probably doesn't either.
[27:44.680 --> 27:46.460]  So there are biases
[27:46.480 --> 27:48.720]  in the information, in how it's gathered,
[27:48.720 --> 27:50.340]  and what information is gathered,
[27:50.340 --> 27:54.280]  as well as nobody has perfect visibility.
[27:54.420 --> 27:57.440]  It's very rare that you have intelligence
[27:57.440 --> 28:00.820]  that tells you everything an adversary does
[28:00.820 --> 28:02.440]  from the point when a victim clicks
[28:02.440 --> 28:04.340]  to the point when they actually
[28:04.340 --> 28:06.260]  are stealing information.
[28:07.840 --> 28:09.920]  And by putting it into ATT&CK,
[28:09.920 --> 28:11.240]  we add our own problems.
[28:11.240 --> 28:12.900]  So group intelligence in ATT&CK
[28:13.480 --> 28:15.940]  is subject to our own biases,
[28:15.940 --> 28:17.400]  and then we're very similar.
[28:18.080 --> 28:19.500]  And, you know, we're adding on
[28:19.500 --> 28:20.780]  to the biases that are coming
[28:20.780 --> 28:22.720]  from this open source intelligence.
[28:22.720 --> 28:24.580]  So some of that is from how we map
[28:24.580 --> 28:26.020]  from these intelligence reports
[28:26.020 --> 28:28.740]  and what it is we actually choose to come in.
[28:29.680 --> 28:32.980]  Now, bias is usually a negative word
[28:32.980 --> 28:33.960]  in the English language.
[28:33.960 --> 28:35.280]  It sounds bad, you know,
[28:35.280 --> 28:38.240]  sounds like we may not like
[28:38.240 --> 28:39.240]  certain intelligence,
[28:39.240 --> 28:40.760]  but in threat intelligence,
[28:40.760 --> 28:42.560]  we accept that all sources
[28:46.160 --> 28:46.720]  have certain information.
[28:46.720 --> 28:48.520]  And so we work to understand those
[28:48.520 --> 28:49.460]  and what they are
[28:49.460 --> 28:51.660]  so that we can account for them.
[28:54.220 --> 28:56.640]  So some of why we have
[28:56.640 --> 28:59.000]  these biases in our reporting.
[29:02.280 --> 29:03.820]  Any reporting source
[29:03.820 --> 29:06.440]  is going to have a visibility bias.
[29:07.040 --> 29:08.700]  There are only certain types
[29:08.700 --> 29:10.400]  of information that a given
[29:11.160 --> 29:12.700]  source is going to have,
[29:12.700 --> 29:13.740]  and they might only have
[29:13.740 --> 29:15.040]  certain types of sensors.
[29:15.040 --> 29:16.680]  An incident response firm may only
[29:19.340 --> 29:20.440]  have whatever sensors were in the
[29:20.440 --> 29:22.300]  environment at the time.
[29:23.000 --> 29:24.780]  Whereas things that can only be
[29:25.240 --> 29:26.880]  seen in real time,
[29:26.880 --> 29:28.420]  so maybe decoded command and control
[29:28.420 --> 29:30.860]  traffic or registry monitoring,
[29:30.860 --> 29:32.060]  other things that don't really leave
[29:32.060 --> 29:33.680]  much of a forensic trace,
[29:33.680 --> 29:36.660]  might not be in their visibility.
[29:38.300 --> 29:40.640]  So there's novelty bias.
[29:40.840 --> 29:43.680]  So I'm kind of a beer snob.
[29:43.680 --> 29:46.420]  In normal pre-COVID times,
[29:46.420 --> 29:49.180]  I walk into a good beer bar,
[29:49.340 --> 29:50.660]  I look at the taps that are there,
[29:51.260 --> 29:52.400]  and I see
[29:53.240 --> 29:54.640]  a bunch of stuff I've had before.
[29:54.640 --> 29:56.520]  It's been on my Untappd list for
[29:57.240 --> 29:59.720]  years now, and I see the one tap
[29:59.720 --> 30:01.520]  that was the thing I've wanted to try
[30:01.520 --> 30:02.660]  for a while.
[30:03.160 --> 30:05.320]  Reporting can be a lot like that.
[30:05.320 --> 30:07.740]  So I've got my reports,
[30:07.740 --> 30:08.700]  I've got my
[30:09.440 --> 30:11.640]  APT 1-8 report where
[30:11.640 --> 30:13.400]  I've got a new actor,
[30:13.400 --> 30:14.500]  we've never seen him before,
[30:14.500 --> 30:16.280]  they're doing something new,
[30:16.280 --> 30:18.100]  and I've got my APT Elite report.
[30:18.100 --> 30:19.620]  I'm going to put out the one
[30:20.040 --> 30:21.740]  that's brand new,
[30:21.740 --> 30:23.860]  is more likely to make a headline.
[30:24.200 --> 30:26.300]  And so our intel is biased by this,
[30:26.300 --> 30:27.860]  where some reports are more likely
[30:27.860 --> 30:29.460]  to come out than others.
[30:31.640 --> 30:33.240]  As people are creating
[30:33.240 --> 30:34.880]  the intelligence in the first place,
[30:34.880 --> 30:36.780]  they have availability bias.
[30:36.980 --> 30:39.500]  Availability bias is a
[30:39.500 --> 30:41.460]  classic cognitive bias.
[30:41.460 --> 30:43.640]  I have some things that I am
[30:43.640 --> 30:44.960]  more familiar with,
[30:44.960 --> 30:46.940]  that I'm more used to seeing,
[30:46.940 --> 30:48.920]  that I'm more likely to recognize.
[30:49.140 --> 30:50.980]  So somebody who's done a ton
[30:50.980 --> 30:52.520]  of incident response,
[30:52.520 --> 30:54.660]  they've seen PowerShell over
[30:54.660 --> 30:56.440]  and over again, they might be more
[30:56.440 --> 30:58.300]  likely to notice the PowerShell activity
[30:58.740 --> 31:00.440]  and not notice that,
[31:00.440 --> 31:02.560]  say the adversary got into the
[31:02.560 --> 31:04.260]  BIOS over here or something
[31:04.720 --> 31:06.220]  super novel.
[31:07.940 --> 31:09.400]  Victim bias.
[31:09.400 --> 31:11.700]  So there are some victims where
[31:11.700 --> 31:13.800]  there is more likely for reporting
[31:13.800 --> 31:15.320]  to come out than others.
[31:15.680 --> 31:17.780]  So there are only
[31:17.780 --> 31:19.040]  certain firms that can afford
[31:19.500 --> 31:20.960]  some of the companies that are
[31:20.960 --> 31:22.120]  putting out a lot of this threat
[31:22.120 --> 31:23.720]  intelligence reporting.
[31:23.960 --> 31:25.620]  Some victims are also in industries
[31:25.620 --> 31:26.840]  where they're a lot more likely
[31:26.840 --> 31:29.660]  to allow reports to come out.
[31:29.800 --> 31:31.660]  There may be issues with regulators
[31:31.660 --> 31:33.460]  if there's any information about
[31:33.460 --> 31:34.980]  them having been hacked.
[31:35.400 --> 31:36.800]  And so who the victim is,
[31:36.800 --> 31:38.560]  is going to matter a lot for if
[31:38.560 --> 31:40.200]  we ever hear about it.
[31:43.800 --> 31:44.400]  Victim bias.
[31:44.600 --> 31:47.000]  So some sources write more
[31:47.000 --> 31:48.340]  reports than others.
[31:48.940 --> 31:50.500]  If, you know, one company
[31:51.120 --> 31:52.680]  is writing, you know,
[31:52.680 --> 31:54.700]  dozens and dozens of reports that
[31:54.700 --> 31:55.440]  all have
[31:56.620 --> 31:58.100]  active behaviors in them and
[31:58.100 --> 31:59.560]  another company is just putting
[31:59.560 --> 32:01.540]  out a couple,
[32:02.820 --> 32:03.780]  we're going to have more
[32:03.780 --> 32:04.860]  information to work with from
[32:04.860 --> 32:05.620]  another.
[32:06.740 --> 32:08.640]  And so I said we compound it.
[32:08.680 --> 32:10.720]  And so we add our own biases to
[32:10.720 --> 32:11.820]  these and the types of sources
[32:11.820 --> 32:12.980]  we select.
[32:13.120 --> 32:13.940]  And so a lot of the stuff I've
[32:13.940 --> 32:15.460]  been talking about is in terms
[32:15.460 --> 32:17.620]  of information from security
[32:17.620 --> 32:20.140]  vendors and threat
[32:20.140 --> 32:21.720]  intelligence firms.
[32:22.200 --> 32:24.100]  So 92% of the reports that
[32:24.100 --> 32:25.720]  we have in ATT&CK,
[32:25.720 --> 32:27.060]  as a point when I made this
[32:27.060 --> 32:29.020]  slide, are coming from security
[32:29.020 --> 32:29.980]  vendors.
[32:30.060 --> 32:31.560]  3% are coming from government
[32:31.560 --> 32:32.260]  reports.
[32:32.260 --> 32:33.520]  These are things like public
[32:33.520 --> 32:35.500]  indictments and other public
[32:35.500 --> 32:37.380]  available government reports.
[32:37.520 --> 32:38.840]  And a few are coming from press
[32:38.840 --> 32:39.540]  reports.
[32:39.800 --> 32:42.460]  Sometimes there's an article
[32:42.460 --> 32:44.060]  in Wired or the Register that
[32:44.060 --> 32:46.080]  describes really good, unique
[32:46.080 --> 32:47.940]  adversary activity.
[32:48.860 --> 32:50.320]  We have our own availability
[32:50.320 --> 32:51.500]  bias.
[32:51.540 --> 32:53.200]  So in that mapping process of
[32:53.200 --> 32:55.200]  going through reports, we've
[32:55.200 --> 32:56.980]  reduced the number of techniques
[32:56.980 --> 32:58.940]  in ATT&CK a little bit recently,
[32:58.940 --> 33:01.100]  but there's still over 160 of
[33:01.100 --> 33:01.960]  them.
[33:02.240 --> 33:03.920]  And so it's hard
[33:03.920 --> 33:05.440]  for us to keep a working set
[33:05.440 --> 33:08.140]  of all of those techniques.
[33:08.140 --> 33:09.340]  And so we've got the techniques
[33:09.340 --> 33:10.920]  that we remember in there and
[33:10.920 --> 33:12.860]  are at the tip of our tongue.
[33:12.860 --> 33:14.220]  And then we have the techniques
[33:14.800 --> 33:17.080]  in ATT&CK, like hidden file
[33:17.080 --> 33:19.240]  system that we almost never
[33:19.240 --> 33:21.080]  see in reporting.
[33:22.340 --> 33:24.600]  We have our own novelty bias.
[33:24.600 --> 33:26.360]  So we've got, you know,
[33:26.360 --> 33:27.860]  dozens and dozens of reports
[33:27.860 --> 33:30.560]  on FuzzyDeck using PowerShell.
[33:30.560 --> 33:32.300]  But we've got this one brand
[33:32.300 --> 33:34.340]  new report on APT Elite using
[33:34.340 --> 33:36.240]  transmitted data manipulation,
[33:36.400 --> 33:37.620]  a fairly new technique.
[33:38.140 --> 33:39.580]  We're probably going to go
[33:39.580 --> 33:41.620]  for the shiny new report.
[33:43.940 --> 33:44.880]  And so if you're using
[33:44.880 --> 33:46.520]  Intel from ATT&CK, there's a
[33:46.520 --> 33:48.190]  couple of other caveats to
[33:48.660 --> 33:51.100]  realize.
[33:51.100 --> 33:53.020]  So our reporting that we've
[33:53.020 --> 33:54.640]  got in there on a given group
[33:54.640 --> 33:57.140]  page is from all different
[33:57.140 --> 33:59.780]  time periods combined.
[33:59.780 --> 34:01.240]  There's some reasons why
[34:01.240 --> 34:03.180]  we do this.
[34:03.180 --> 34:03.920]  Reporting frequently doesn't
[34:03.920 --> 34:05.620]  say when the activity happened.
[34:05.620 --> 34:07.600]  So a report, we might
[34:07.600 --> 34:08.720]  have a date on the report
[34:08.720 --> 34:12.040]  itself, not always, and a
[34:12.040 --> 34:14.000]  pox on people that put out
[34:14.000 --> 34:15.140]  threat intelligence reports
[34:15.140 --> 34:16.380]  about dates.
[34:16.380 --> 34:18.400]  But we don't even know
[34:18.400 --> 34:19.420]  necessarily when the intrusion
[34:19.420 --> 34:21.360]  happened. And I've seen
[34:21.360 --> 34:22.460]  reporting where I know the
[34:22.460 --> 34:23.580]  intrusion that they were
[34:23.580 --> 34:24.640]  talking about was four or
[34:24.640 --> 34:26.220]  five years old, where it
[34:26.220 --> 34:27.080]  sounded like they were
[34:27.080 --> 34:28.360]  talking about something
[34:29.560 --> 34:30.140]  recent.
[34:30.140 --> 34:31.200]  Some reports might only talk
[34:31.200 --> 34:31.520]  about a small range of
[34:31.520 --> 34:32.900]  activity. So some why we
[34:32.900 --> 34:34.260]  end up adding stuff together
[34:34.260 --> 34:36.400]  is so that we can talk
[34:36.400 --> 34:38.100]  enough about a single
[34:38.100 --> 34:39.800]  actor to paint a picture.
[34:39.800 --> 34:40.860]  So if I only have one
[34:40.860 --> 34:42.440]  report with, you know, ten
[34:42.440 --> 34:44.100]  techniques in it, it's
[34:44.100 --> 34:45.500]  probably not telling me the
[34:45.500 --> 34:46.740]  range of activity that an
[34:46.740 --> 34:48.080]  actor can do.
[34:49.740 --> 34:51.520]  Our group pages only
[34:51.520 --> 34:52.700]  include behaviors that are
[34:52.700 --> 34:54.360]  directly tied to actor
[34:54.360 --> 34:55.460]  activity.
[34:55.540 --> 34:56.880]  So our standards for what
[34:56.880 --> 34:57.800]  we're adding into those
[34:57.800 --> 34:59.720]  pages is that the reporting
[34:59.720 --> 35:01.120]  says that the actor did
[35:01.120 --> 35:01.720]  it.
[35:02.140 --> 35:03.160]  And so that doesn't include
[35:03.160 --> 35:04.440]  behaviors of software that
[35:04.440 --> 35:05.560]  adversaries use.
[35:05.560 --> 35:08.680]  So if there is a malware
[35:08.680 --> 35:10.180]  analysis report out there
[35:10.180 --> 35:11.400]  that we're putting into ATT&CK,
[35:11.400 --> 35:12.460]  that's going on those
[35:12.460 --> 35:13.620]  software pages.
[35:13.820 --> 35:15.540]  And we're not including that
[35:15.540 --> 35:16.580]  into the activity of the
[35:16.580 --> 35:17.880]  given adversary.
[35:17.960 --> 35:19.120]  And finally, the reporting
[35:19.120 --> 35:20.020]  we're using doesn't always
[35:20.020 --> 35:21.600]  agree on attribution.
[35:21.940 --> 35:23.240]  And so we're sometimes
[35:23.240 --> 35:25.020]  left trying to figure out
[35:25.020 --> 35:26.360]  what the heck group we
[35:26.360 --> 35:27.360]  should be even putting this
[35:27.360 --> 35:27.960]  into.
[35:27.960 --> 35:29.480]  And hopefully in most cases
[35:29.480 --> 35:30.460]  it's accurate.
[35:32.000 --> 35:33.860]  So that sounds awful.
[35:33.860 --> 35:34.720]  You know, so what do we
[35:34.720 --> 35:35.600]  what do we do about it?
[35:35.600 --> 35:36.500]  I've talked about this as
[35:36.500 --> 35:37.840]  our source of intel.
[35:37.840 --> 35:38.660]  And now I've talked about
[35:38.660 --> 35:40.580]  all these problems with it.
[35:40.800 --> 35:42.320]  So the important part
[35:42.320 --> 35:43.680]  is to understand that
[35:43.680 --> 35:45.200]  there are these types
[35:45.200 --> 35:46.540]  of limitations and biases
[35:46.540 --> 35:47.900]  in the intel that we're
[35:47.900 --> 35:49.000]  using to do this
[35:49.520 --> 35:50.480]  emulation.
[35:51.280 --> 35:52.600]  Once we know that there
[35:52.600 --> 35:53.700]  are these limitations and
[35:53.700 --> 35:54.740]  gaps are there,
[35:54.740 --> 35:56.400]  we can start to determine
[35:56.400 --> 35:57.740]  where the gaps are in our
[35:57.740 --> 35:59.340]  specific intelligence.
[35:59.680 --> 36:01.100]  And so we don't
[36:01.100 --> 36:02.140]  just throw up our hands
[36:02.140 --> 36:03.780]  and say, well, I don't
[36:03.780 --> 36:05.080]  know anything.
[36:05.100 --> 36:06.440]  I'm just going back to
[36:06.440 --> 36:08.240]  normal red teaming.
[36:08.240 --> 36:09.240]  We need to account for
[36:09.240 --> 36:10.520]  these gaps and
[36:11.320 --> 36:12.780]  fill them in as we build
[36:12.780 --> 36:13.740]  our adversary emulation
[36:13.740 --> 36:14.900]  plan.
[36:17.320 --> 36:18.380]  That was a long aside
[36:18.760 --> 36:20.100]  away from Turla.
[36:20.140 --> 36:21.960]  But let's start to look
[36:21.960 --> 36:23.660]  at how we might spot
[36:23.660 --> 36:25.400]  gaps in our
[36:25.400 --> 36:26.260]  specific adversary
[36:26.260 --> 36:27.380]  picture.
[36:27.740 --> 36:29.380]  So taking Turla as
[36:29.380 --> 36:30.960]  an example, how
[36:30.960 --> 36:32.280]  might we see some evidence
[36:32.280 --> 36:33.700]  that our information on
[36:33.700 --> 36:35.360]  Turla isn't perfect?
[36:37.060 --> 36:37.900]  I can first look for
[36:37.900 --> 36:39.320]  missing dependencies.
[36:40.000 --> 36:41.220]  So my colleague
[36:41.220 --> 36:42.680]  Andy Applebaum wrote a
[36:42.680 --> 36:44.000]  blog post a couple
[36:44.000 --> 36:46.140]  years back on
[36:46.140 --> 36:47.840]  trying to find related
[36:47.840 --> 36:49.220]  ATT&CK techniques.
[36:49.220 --> 36:50.960]  So both dependencies
[36:50.960 --> 36:52.280]  where in order to
[36:52.280 --> 36:53.440]  do one technique, you
[36:53.440 --> 36:54.600]  might need this other
[36:54.600 --> 36:56.400]  technique first, or
[36:56.400 --> 36:57.520]  techniques that are
[36:57.520 --> 36:58.840]  very often seen
[36:58.840 --> 36:59.160]  together.
[37:00.060 --> 37:01.620]  And so that can be a
[37:01.620 --> 37:03.120]  useful source for
[37:03.120 --> 37:04.480]  doing this.
[37:04.480 --> 37:05.300]  But I'm going to zoom
[37:05.300 --> 37:06.740]  in on a couple
[37:06.740 --> 37:08.660]  places in our
[37:08.660 --> 37:10.340]  profile of Turla.
[37:10.340 --> 37:10.980]  So let's look at
[37:10.980 --> 37:11.680]  initial access.
[37:11.680 --> 37:13.140]  So we've got some
[37:13.140 --> 37:14.400]  pretty simple
[37:14.400 --> 37:15.280]  techniques here
[37:17.140 --> 37:18.120]  that drive by
[37:18.120 --> 37:18.960]  compromise.
[37:18.960 --> 37:19.980]  We have phishing,
[37:19.980 --> 37:21.400]  spearphishing attachment,
[37:21.400 --> 37:23.880]  phishing, spearphishing
[37:23.880 --> 37:24.420]  link.
[37:24.420 --> 37:26.620]  Okay, relatively
[37:26.620 --> 37:27.240]  germane.
[37:27.240 --> 37:29.140]  But if they're doing
[37:27.160 --> 37:28.160]  each of these things,
[37:29.140 --> 37:29.720]  these successful
[37:29.720 --> 37:31.540]  intrusions, there
[37:31.540 --> 37:32.600]  are actions that
[37:32.600 --> 37:33.820]  need to follow that
[37:33.820 --> 37:35.460]  for the intrusion
[37:35.460 --> 37:35.780]  to have been
[37:35.780 --> 37:36.660]  successful as it
[37:36.660 --> 37:37.640]  was.
[37:37.940 --> 37:39.140]  So I take a look
[37:39.140 --> 37:40.780]  at our execution
[37:40.780 --> 37:42.060]  for Turla.
[37:42.340 --> 37:43.780]  And I look at,
[37:43.780 --> 37:44.100]  you know, I've got
[37:44.100 --> 37:44.860]  user execution
[37:44.860 --> 37:45.860]  malicious link.
[37:45.860 --> 37:47.160]  So they sent a
[37:47.160 --> 37:48.360]  malicious spearphishing
[37:48.360 --> 37:48.540]  link.
[37:48.540 --> 37:50.080]  We clicked on it.
[37:50.080 --> 37:51.240]  Okay.
[37:51.240 --> 37:52.260]  They sent us a
[37:52.260 --> 37:54.500]  spearphishing
[37:54.500 --> 37:55.000]  attachment.
[37:55.000 --> 37:56.180]  I don't actually
[37:56.180 --> 37:57.160]  have an execution
[37:57.160 --> 37:59.120]  technique for that.
[37:57.140 --> 37:58.140]  So there's
[37:59.120 --> 38:00.360]  clearly a gap here.
[38:00.800 --> 38:01.420]  It's something we
[38:01.420 --> 38:02.520]  probably need to fix.
[38:02.520 --> 38:03.980]  But it,
[38:05.080 --> 38:06.340]  there's, I would expect
[38:06.340 --> 38:07.300]  there to be here
[38:07.300 --> 38:08.600]  either user
[38:08.600 --> 38:09.540]  execution malicious
[38:09.540 --> 38:11.480]  file, or, you
[38:11.480 --> 38:11.940]  know, potentially
[38:11.940 --> 38:12.520]  if they're being
[38:12.520 --> 38:13.240]  really ninja
[38:13.240 --> 38:14.480]  exploitation for
[38:14.480 --> 38:15.860]  client execution.
[38:15.860 --> 38:16.320]  So, you know,
[38:16.320 --> 38:17.380]  maybe they're,
[38:17.380 --> 38:18.200]  maybe it's a user
[38:18.200 --> 38:18.840]  clicking on the
[38:18.840 --> 38:20.140]  attachment, or
[38:20.140 --> 38:21.000]  maybe they're popping
[38:21.000 --> 38:22.340]  Outlook.
[38:22.960 --> 38:24.360]  But something is
[38:24.360 --> 38:25.380]  missing here.
[38:27.220 --> 38:28.400]  We can also look
[38:28.400 --> 38:29.020]  for hints of
[38:29.020 --> 38:29.880]  dependencies, you
[38:29.880 --> 38:30.480]  know, and so we're
[38:30.480 --> 38:31.260]  trying to create
[38:31.260 --> 38:32.720]  something in the
[38:32.720 --> 38:34.200]  style of an adversary,
[38:34.200 --> 38:35.000]  not necessarily
[38:35.000 --> 38:36.360]  exactly what they
[38:36.360 --> 38:37.460]  did.
[38:37.680 --> 38:38.520]  But so I can look
[38:38.520 --> 38:39.340]  at something like
[38:39.340 --> 38:40.760]  lateral movement.
[38:40.760 --> 38:41.480]  So, okay, we
[38:41.480 --> 38:42.240]  see them doing
[38:42.240 --> 38:42.980]  lateral tool
[38:42.980 --> 38:44.520]  transfer and
[38:45.220 --> 38:45.680]  SMB/
[38:45.680 --> 38:46.100]  Windows
[38:46.100 --> 38:46.440]  Admin
[38:46.440 --> 38:47.580]  Shares.
[38:48.120 --> 38:48.740]  Windows admin
[38:48.740 --> 38:49.600]  shares, if
[38:49.600 --> 38:50.280]  they're doing
[38:50.280 --> 38:50.880]  this technique,
[38:50.880 --> 38:51.300]  it's usually
[38:51.300 --> 38:51.880]  something where
[38:51.880 --> 38:52.240]  they're being
[38:52.240 --> 38:52.920]  driven by
[38:52.920 --> 38:53.820]  operating system
[38:53.820 --> 38:55.060]  credentials to
[38:55.060 --> 38:56.000]  get around the
[38:56.000 --> 38:56.880]  network.
[38:56.880 --> 38:57.680]  So, okay, there's
[38:57.680 --> 38:58.280]  something that
[38:58.280 --> 38:59.440]  should be in here
[38:59.440 --> 39:00.980]  as a credential
[39:00.980 --> 39:01.760]  access so that
[39:01.760 --> 39:02.340]  they've got the
[39:02.340 --> 39:02.980]  creds to do
[39:02.980 --> 39:03.860]  that.
[39:04.920 --> 39:05.600]  Well, what I've
[39:05.600 --> 39:06.600]  got here is
[39:06.600 --> 39:07.880]  brute force,
[39:07.880 --> 39:08.720]  which they could
[39:08.720 --> 39:09.520]  be using to
[39:09.520 --> 39:10.740]  do OS
[39:10.740 --> 39:11.780]  credentials.
[39:11.780 --> 39:12.280]  Credentials
[39:12.280 --> 39:12.880]  from password
[39:12.880 --> 39:13.460]  stores is
[39:13.460 --> 39:14.920]  usually other
[39:14.920 --> 39:15.460]  types of
[39:15.460 --> 39:16.260]  credentials rather
[39:16.260 --> 39:16.920]  than operating
[39:16.920 --> 39:18.120]  system.
[39:18.460 --> 39:19.040]  So I'd really
[39:19.040 --> 39:19.760]  expect there to
[39:19.760 --> 39:20.300]  be something
[39:20.300 --> 39:21.470]  more like OS
[39:21.960 --> 39:22.600]  credential
[39:22.600 --> 39:23.530]  dumping or
[39:24.640 --> 39:25.540]  something with
[39:25.540 --> 39:26.020]  Kerberos
[39:26.020 --> 39:26.920]  tickets.
[39:26.920 --> 39:27.440]  So domain
[39:27.440 --> 39:28.060]  authentication
[39:28.060 --> 39:29.340]  here.
[39:29.380 --> 39:30.200]  So a sign that
[39:30.200 --> 39:30.760]  I might have
[39:30.760 --> 39:31.540]  another gap that
[39:31.540 --> 39:32.480]  I need to deal
[39:32.480 --> 39:33.580]  with.
[39:36.480 --> 39:38.060]  Less dependable,
[39:38.060 --> 39:38.740]  but another way
[39:38.740 --> 39:39.280]  that we might be
[39:39.280 --> 39:39.700]  able to see
[39:39.700 --> 39:40.640]  signs of this
[39:40.640 --> 39:41.860]  is looking for
[39:41.860 --> 39:42.740]  things like
[39:42.740 --> 39:43.240]  unusually
[39:43.240 --> 39:43.600]  sparse
[39:43.600 --> 39:44.800]  tactics.
[39:45.980 --> 39:46.720]  So in the
[39:46.720 --> 39:47.100]  case of
[39:47.100 --> 39:47.960]  Turla,
[39:47.960 --> 39:48.740]  we've got an
[39:48.740 --> 39:49.540]  adversary who's
[39:49.540 --> 39:50.040]  been around
[39:50.040 --> 39:50.880]  since at least
[39:50.880 --> 39:52.080]  2004, as I said
[39:52.080 --> 39:52.560]  in the beginning
[39:52.560 --> 39:53.620]  of this.
[39:54.300 --> 39:55.380]  Most adversaries
[39:55.380 --> 39:56.500]  over time are
[39:56.500 --> 39:57.500]  definitely developing
[39:57.500 --> 39:58.640]  multiple techniques
[39:58.640 --> 39:59.420]  to do a given
[39:59.420 --> 40:00.340]  tactic that's
[40:00.340 --> 40:02.040]  important to them.
[40:02.580 --> 40:03.040]  And in the case
[40:03.040 --> 40:03.760]  of Turla, all
[40:03.760 --> 40:04.520]  we've got here
[40:04.520 --> 40:05.440]  for exfiltration
[40:05.440 --> 40:06.700]  is exfiltration
[40:06.700 --> 40:07.100]  of cloud
[40:07.100 --> 40:08.080]  storage.
[40:08.680 --> 40:09.540]  And another
[40:09.540 --> 40:10.220]  reason why
[40:10.220 --> 40:10.820]  that's a little
[40:10.820 --> 40:11.520]  bit suspicious
[40:11.520 --> 40:12.220]  for Turla
[40:12.940 --> 40:14.200]  is that Turla
[40:14.200 --> 40:14.960]  is older than
[40:14.960 --> 40:15.920]  cloud storage,
[40:15.920 --> 40:16.700]  at least in the
[40:16.700 --> 40:17.220]  sense that we
[40:17.220 --> 40:17.660]  would generally
[40:17.660 --> 40:19.180]  mean by it.
[40:19.520 --> 40:20.140]  And so there's
[40:20.140 --> 40:21.600]  some signs that
[40:21.600 --> 40:22.640]  there might be
[40:22.640 --> 40:23.620]  another gap
[40:23.620 --> 40:24.060]  here in our
[40:24.060 --> 40:24.520]  picture of
[40:24.520 --> 40:25.340]  Turla.
[40:27.840 --> 40:28.820]  Okay, so if
[40:28.820 --> 40:29.420]  there are gaps
[40:29.420 --> 40:30.780]  and we don't
[40:30.780 --> 40:31.620]  have necessarily
[40:31.620 --> 40:32.400]  everything we
[40:32.400 --> 40:33.120]  need to get
[40:33.120 --> 40:34.500]  from the
[40:34.500 --> 40:35.120]  adversary getting
[40:35.120 --> 40:36.480]  in to achieving
[40:36.480 --> 40:37.680]  their goal,
[40:37.680 --> 40:38.080]  let's look at
[40:38.080 --> 40:38.580]  some ways of
[40:38.580 --> 40:39.360]  filling these in
[40:39.360 --> 40:40.060]  in a logical
[40:40.060 --> 40:41.480]  fashion that
[40:41.480 --> 40:42.620]  sticks to the
[40:42.620 --> 40:43.100]  spirit of the
[40:43.100 --> 40:43.760]  adversary as
[40:43.760 --> 40:44.200]  much as
[40:44.200 --> 40:45.280]  possible.
[40:46.160 --> 40:46.920]  I'm going to go
[40:46.920 --> 40:47.820]  over four techniques
[40:47.820 --> 40:48.620]  for filling in
[40:48.620 --> 40:49.560]  gaps.
[40:49.680 --> 40:50.740]  First is
[40:50.740 --> 40:51.540]  adding techniques
[40:51.860 --> 40:52.760]  from the software
[40:52.760 --> 40:53.240]  that the
[40:53.240 --> 40:54.780]  adversary is using.
[40:54.860 --> 40:55.720]  I'm going to fill
[40:55.720 --> 40:56.300]  in some of those
[40:56.300 --> 40:57.200]  dependencies that I
[40:57.200 --> 40:58.080]  just identified
[40:58.080 --> 40:59.640]  and add those
[40:59.640 --> 41:00.520]  in.
[41:00.520 --> 41:01.060]  I'm going to take
[41:01.160 --> 41:01.680]  a look at peer
[41:02.040 --> 41:02.680]  adversaries.
[41:02.680 --> 41:03.780]  So maybe we're
[41:03.780 --> 41:04.620]  still not able to
[41:04.620 --> 41:05.000]  get enough
[41:05.000 --> 41:06.100]  intelligence on
[41:06.100 --> 41:06.680]  stuff that's
[41:06.680 --> 41:07.660]  directly related
[41:07.660 --> 41:09.520]  to the one
[41:09.520 --> 41:10.720]  we've chosen.
[41:10.780 --> 41:11.420]  Let's look at
[41:11.420 --> 41:12.020]  their peers.
[41:12.020 --> 41:12.520]  Let's look at
[41:12.520 --> 41:13.480]  people who are
[41:13.480 --> 41:14.420]  operating like
[41:14.420 --> 41:15.320]  them.
[41:15.320 --> 41:16.660]  And we can borrow
[41:16.660 --> 41:17.960]  from as well.
[41:18.200 --> 41:18.980]  And finally, if
[41:18.980 --> 41:19.560]  all of that
[41:19.560 --> 41:21.020]  fails, let's
[41:21.020 --> 41:21.420]  look at what
[41:21.420 --> 41:22.000]  lots of
[41:22.270 --> 41:22.700]  adversaries are
[41:22.700 --> 41:23.440]  doing.
[41:23.440 --> 41:24.240]  It might be
[41:24.240 --> 41:24.760]  something that
[41:24.760 --> 41:25.420]  they're doing as
[41:25.420 --> 41:26.200]  well.
[41:28.180 --> 41:29.320]  So if I go back
[41:29.320 --> 41:29.860]  to the ATT&CK
[41:29.860 --> 41:30.540]  group page,
[41:30.540 --> 41:31.260]  this is all
[41:31.260 --> 41:31.800]  the software
[41:31.800 --> 41:33.420]  that we've
[41:33.420 --> 41:34.720]  associated with
[41:34.720 --> 41:35.620]  Terla.
[41:35.760 --> 41:36.660]  There's a mix of
[41:36.660 --> 41:37.440]  different types of
[41:37.440 --> 41:38.720]  things in here.
[41:39.060 --> 41:39.980]  For starters, we
[41:39.980 --> 41:41.060]  have what I'm
[41:41.060 --> 41:41.380]  going to call
[41:41.380 --> 41:42.580]  utilities.
[41:43.040 --> 41:43.880]  So these are
[41:43.880 --> 41:45.260]  tools that are
[41:45.260 --> 41:46.680]  in every case,
[41:46.680 --> 41:47.380]  but PSExec
[41:47.380 --> 41:47.960]  built into
[41:47.960 --> 41:49.120]  Windows.
[41:49.260 --> 41:49.860]  PSExec
[41:49.860 --> 41:50.580]  obviously being
[41:50.580 --> 41:51.340]  part of Sys
[41:51.340 --> 41:52.000]  internal, so
[41:52.000 --> 41:52.500]  something that
[41:52.500 --> 41:54.100]  they probably
[41:54.100 --> 41:55.080]  downloaded over
[41:55.080 --> 41:55.900]  the course of
[41:55.900 --> 41:57.060]  the intrusion.
[41:57.060 --> 41:57.580]  But it's a
[41:57.580 --> 41:58.240]  general purpose
[41:58.240 --> 41:59.000]  tools that
[41:59.000 --> 41:59.500]  anyone's going
[41:59.500 --> 42:00.140]  to have
[42:00.140 --> 42:00.940]  access to
[42:02.500 --> 42:03.220]  it.
[42:03.220 --> 42:05.740]  Next, we've got public tools.
[42:05.740 --> 42:07.780]  So our public offensive tools.
[42:08.220 --> 42:15.060]  Turla, like a lot of actors out there, is a user of Mimikatz, as well as Empire.
[42:15.060 --> 42:19.120]  And so this is something that, you know, it's not just specific to Turla.
[42:19.120 --> 42:24.760]  We see tons of different adversaries using them.
[42:25.060 --> 42:29.520]  But Turla has a lot of possibly unique software.
[42:29.520 --> 42:35.300]  So these are pieces of software we have listed for no other adversary but Turla.
[42:35.760 --> 42:43.300]  We think that maybe they were written for them or written by them, but we at least don't have evidence of them being used elsewhere.
[42:43.820 --> 42:49.500]  And so for filling in software, I'm going to start with just this possibly-unique-to-Turla set.
[42:49.620 --> 42:53.940]  And I've got a couple of reasons I'm going to do that.
[42:53.940 --> 43:09.920]  So the first is that some of the other tools like Mimikatz, Empire, or if they've been using something like Cobalt, those tools have a ton of functionality.
[43:09.920 --> 43:15.280]  Off the top of my head, I think Cobalt, we've got over 65 techniques mapped to.
[43:15.280 --> 43:23.220]  And so it starts to just color in the entire matrix, not necessarily the pieces that Turla is actually using.
[43:24.100 --> 43:31.660]  Something I've seen is that adversaries have a tendency to use more of the functionality of their own tools, too, than of the general purpose ones they're using.
[43:31.660 --> 43:35.180]  And that makes a lot of sense.
[43:35.180 --> 43:43.400]  If you are commissioning these or buying these tools, you're probably not going to ask for a lot of functionality that you never use.
[43:43.400 --> 43:52.560]  So if I take all of the techniques that are associated with each of these tools, add them together, I get something that looks like this.
[43:52.860 --> 43:57.600]  And again, I'll release the slides so you can zoom in a bit better.
[43:57.600 --> 44:01.440]  Right now, I'm just more showing sort of the shape of the coloring.
[44:01.440 --> 44:06.820]  You can see that this adds in activity across a lot of different tactics.
[44:06.820 --> 44:10.540]  So we've got a bunch of material here.
[44:11.040 --> 44:18.460]  And if I go back and add my Turla profile back into that, I've now got quite a bit more there.
[44:18.540 --> 44:21.100]  So blue was what we already had with Turla.
[44:21.100 --> 44:25.060]  Red is what we just added in with the software that they're using.
[44:25.380 --> 44:26.460]  And green is the overlap.
[44:26.460 --> 44:28.900]  So green is what we already had.
[44:29.260 --> 44:33.800]  And so I pointed out exfiltration was kind of thin in the original profile.
[44:34.620 --> 44:39.420]  Well, so adding in the software they're using has helped fill that in a bit.
[44:39.420 --> 44:45.940]  So we've now got something like not just cloud storage, but also exfiltration over a command and control channel.
[44:46.240 --> 44:49.800]  And so some more options for us to be able to work with too.
[44:52.330 --> 44:57.550]  So I've still got some of those missing dependencies though, even with the software added in.
[44:57.550 --> 45:01.370]  So the next thing I'm going to go through is filling in the missing dependencies.
[45:01.570 --> 45:09.890]  I didn't actually find a lot of those in Turla specifically, but there are definitely actors where there are more of these that you'll find.
[45:10.210 --> 45:17.710]  And so I'm going to take the fairly simple step with the missing dependencies I'd found to simply fill them in.
[45:17.710 --> 45:20.810]  So, you know, we're trying to stick in the sphere of the adversary.
[45:21.150 --> 45:27.810]  They probably did these things in order to accomplish those other techniques or after those other techniques.
[45:27.930 --> 45:30.250]  So I'm going to bring those into our profile.
[45:32.330 --> 45:39.650]  So that now gives me a relatively well-fleshed-out adversary profile.
[45:39.910 --> 45:45.990]  So this also isn't coloring in quite as much of the ATT&CK matrix as it might appear here.
[45:46.430 --> 45:53.030]  I have only expanded out sub-techniques where there are techniques selected in them.
[45:53.110 --> 45:58.030]  So again, I'm trying to keep the matrix actually fitting on the slide.
[45:58.030 --> 46:02.910]  But there are quite a few sub-techniques that are still tucked in here.
[46:02.910 --> 46:11.930]  So this is still keeping us to a scoping that is in the spirit of Turla.
[46:12.350 --> 46:14.090]  So I think we're good here.
[46:14.090 --> 46:21.690]  I think for Turla itself, this is probably sufficient for us to work with in any scenario we want to create.
[46:21.790 --> 46:25.590]  But what if I was working on an actor where I couldn't do that?
[46:25.810 --> 46:29.510]  So the next thing I can do is start examining peer adversaries.
[46:30.670 --> 46:35.790]  Turla is attributed to be a Russian state actor who likes to steal information.
[46:35.790 --> 46:38.990]  So who else in ATT&CK do we have that looks like them?
[46:39.090 --> 46:43.190]  The ones that jump out are APT28 and 29.
[46:43.190 --> 46:49.570]  These are the two groups that were attributed by the US government to be behind the DNC hacks a couple years ago.
[46:49.570 --> 46:51.750]  They have been very prolific.
[46:52.110 --> 46:56.170]  They do a wide range of their own activities.
[46:56.170 --> 47:09.830]  I could use them like this, where I'm just taking every technique from both, mashing them together, or maybe I just want to use it as a way of seeing what's popular for them.
[47:09.830 --> 47:15.990]  So the green techniques are where there's overlap between these two adversaries.
[47:18.230 --> 47:26.370]  Lastly, you know, so if the peers aren't enough, maybe I can just look at what techniques are common out there.
[47:26.450 --> 47:37.410]  So a number of companies over the past couple years have started publishing annual reports on what ATT&CK techniques they've seen over the past year.
[47:38.170 --> 47:46.050]  And so looking at a couple of companies' reports on what techniques they saw in 2019, we can start to use those to fill in gaps.
[47:46.750 --> 47:49.550]  So the first one I'm going to use is Red Canary.
[47:49.550 --> 47:51.090]  So they put out a report.
[47:51.090 --> 47:56.270]  It's actually got a top 20 in it, but you can actually read the text on this one.
[47:56.870 --> 48:03.910]  So it is going through, and it's in order, but it's important to understand, again, what this means.
[48:03.930 --> 48:14.710]  This is the top 10 techniques that they saw in the places that they have sensing in and compared with their actual detectors.
[48:15.030 --> 48:20.470]  So it's not necessarily the 10 most popular techniques, it's the 10 most popular techniques they saw.
[48:21.090 --> 48:36.890]  Another company who put out top 20 techniques this year, I'm again cutting them down to 10 for the slide, but you'll note that the only overlap between these two lists is process injection.
[48:36.950 --> 48:50.630]  So we may want to combine a couple of these together in order to see where the overlaps are, add their data, but these are giving us some ideas of things that we know at least have been out there in the wild a bunch in the past year.
[48:50.630 --> 49:00.030]  So it doesn't tell us that Turla did these, it doesn't tell us that 28 or 29 did these, but a bunch of people did them somewhere.
[49:00.470 --> 49:08.230]  So adding them into our profile may be still sticking to a realistic APT profile.
[49:08.610 --> 49:15.430]  And again, I wouldn't do this unless I wasn't able to get it directly from the threat intelligence on the actor.
[49:18.410 --> 49:19.950]  So we've filled in some gaps.
[49:19.950 --> 49:22.430]  We've got a lot of things colored in now.
[49:22.430 --> 49:24.550]  We've got our pretty picture.
[49:25.230 --> 49:26.810]  So what do we do with it?
[49:26.810 --> 49:32.210]  How do we actually turn this into more of a profile?
[49:32.210 --> 49:36.250]  So I talked about a couple gap techniques that I didn't use.
[49:36.250 --> 49:49.520]  So going back to my Turla profile, that is Turla plus the software that appears to be unique to them plus filling in those dependencies.
[49:49.520 --> 49:52.040]  So I'm going to want to do something like this.
[49:52.040 --> 50:00.820]  So I've got my techniques, I've got my tactics, and I'm going to want to start to carve down to the techniques I want to actually use.
[50:00.920 --> 50:04.120]  And those techniques have a flow to them.
[50:04.120 --> 50:09.220]  So I've talked a teeny bit about dependencies, like where one technique is going to require another.
[50:09.260 --> 50:15.260]  There are often spaces where one tactic is generally going to require another one too.
[50:15.820 --> 50:17.580]  ATT&CK is not ordered.
[50:18.020 --> 50:26.860]  Obviously, yes, things off to the left in ATT&CK often happen before things to the right in ATT&CK, but there is no strict ordering to it.
[50:26.860 --> 50:29.320]  It is not a kill chain.
[50:29.320 --> 50:42.660]  And so tactics may happen in different orders, they may not appear at all in the intrusion, but we are going to want to force some ordering on them for operation so that we can actually build up a plan.
[50:43.180 --> 50:51.460]  So here what I've done is I've started with initial access, so I've got the adversary breaking into the environment.
[50:51.640 --> 51:00.960]  Followed by execution, so the code actually getting run, so that's also got the most filled in here that I filled in using dependencies.
[51:01.480 --> 51:12.280]  From execution, they are going to be doing both discovery and privilege escalation, so I'm going to be able to do a lot of my discovery without needing extra privileges.
[51:12.280 --> 51:20.180]  At the same time, I'm going to be building up so that I can do my defense evasion, credential access and persistence.
[51:20.690 --> 51:32.420]  Some of Turla's defense evasion does require privilege escalation, so they do things like hidden file systems, which is a fairly unusual technique.
[51:32.420 --> 51:36.080]  And then, you know, so from my credential access, I'll then be able to do lateral movement.
[51:36.160 --> 51:48.140]  I've got my OS credential dumping, which lets me do my SMB/Windows administrative shares, and the arrow is supposed to loop around from one side to the other, back to execution, and start it all over again.
[51:50.400 --> 52:02.340]  So, in order to bring this even closer to something I can operate with, the final organizational step I'm going to do is organize technique flow into plan phases.
[52:03.140 --> 52:06.320]  So, everything I've talked about here has started at initial access.
[52:06.320 --> 52:10.500]  And so, that's using what's in Enterprise ATT&CK today.
[52:10.740 --> 52:19.460]  But obviously, there are some steps that an adversary, as well as an adversary emulator, is going to need to do before they get into the environment.
[52:19.500 --> 52:21.340]  So, that's this phase one.
[52:21.980 --> 52:26.880]  And so, you might not be familiar with the tactics Reconnaissance and Resource Development.
[52:27.020 --> 52:29.900]  And that's because they won't be in ATT&CK for another few months.
[52:29.900 --> 52:31.220]  But stay tuned.
[52:31.420 --> 52:40.780]  We actually are extending ATT&CK to match the scope of the cyber kill chain and activities that come before you break into an environment.
[52:41.680 --> 52:59.520]  Phase two, I've got the adversary operating, setting down their footprint, while I've got this particular adversary doing their collection and exfiltration at the end.
[52:59.520 --> 53:02.780]  So, they've got the footprint and then they steal the information.
[53:03.440 --> 53:07.140]  And so, I'm putting these in order so that we can use them for operations.
[53:07.140 --> 53:13.180]  This isn't going to be perfect, but a lot of these techniques and tactics have required ordering to them.
[53:15.710 --> 53:16.190]  So, the
[53:16.190 --> 53:17.170]  pieces I'm not
[53:17.170 --> 53:17.670]  really going to
[53:17.670 --> 53:18.510]  cover today,
[53:18.510 --> 53:19.710]  but just a
[53:19.710 --> 53:20.210]  few thoughts
[53:20.210 --> 53:21.350]  on making sure
[53:21.350 --> 53:22.030]  that we're applying
[53:22.030 --> 53:22.950]  intel as we go
[53:22.950 --> 53:23.630]  through the entire
[53:24.110 --> 53:24.710]  process.
[53:24.750 --> 53:25.490]  So, we're going to
[53:25.490 --> 53:25.990]  want to develop
[53:25.990 --> 53:27.010]  tools to be able
[53:27.010 --> 53:28.250]  to do this.
[53:28.810 --> 53:29.390]  You know, want to
[53:29.390 --> 53:30.370]  be able to think,
[53:30.370 --> 53:31.370]  can we do this
[53:31.370 --> 53:32.250]  with COTS, free,
[53:32.250 --> 53:33.330]  open source?
[53:33.330 --> 53:34.470]  Are those reasonable
[53:34.470 --> 53:35.050]  for the given
[53:35.050 --> 53:35.970]  actor?
[53:36.290 --> 53:36.770]  So, in some
[53:36.770 --> 53:37.410]  cases, we may
[53:37.410 --> 53:37.830]  have an actor
[53:37.830 --> 53:38.650]  who's using
[53:38.650 --> 53:39.370]  Empire or
[53:39.370 --> 53:40.050]  Cobalt.
[53:40.050 --> 53:41.050]  So, the
[53:41.050 --> 53:42.070]  answer to
[53:42.070 --> 53:42.650]  that is fairly
[53:42.650 --> 53:43.470]  obvious.
[53:43.530 --> 53:44.330]  If we have an
[53:44.330 --> 53:44.890]  actor that's
[53:44.890 --> 53:45.550]  doing nothing
[53:45.550 --> 53:46.450]  but bespoke
[53:46.450 --> 53:47.410]  tool development
[53:47.410 --> 53:48.770]  and using techniques
[53:48.770 --> 53:49.350]  that aren't really
[53:49.350 --> 53:51.290]  supported by much
[53:51.290 --> 53:51.930]  that's out there in
[53:51.930 --> 53:52.890]  public, we may need
[53:52.890 --> 53:53.690]  to do some custom
[53:53.690 --> 53:54.950]  work.
[53:55.010 --> 53:56.530]  But, regardless,
[53:56.530 --> 53:57.190]  trying to keep
[53:57.190 --> 53:58.290]  those payloads
[53:58.290 --> 53:59.610]  inspired by the
[53:59.610 --> 54:00.630]  APT.
[54:00.990 --> 54:01.350]  So, you're
[54:01.350 --> 54:02.030]  looking at how
[54:02.030 --> 54:03.030]  they're packing
[54:03.030 --> 54:03.670]  and everything
[54:03.670 --> 54:05.030]  else, trying to
[54:05.030 --> 54:05.610]  stick to that
[54:05.610 --> 54:06.630]  intelligence.
[54:07.030 --> 54:07.870]  And finally, as
[54:07.870 --> 54:08.250]  you actually
[54:08.250 --> 54:09.770]  operate,
[54:09.770 --> 54:10.450]  obviously, you're
[54:10.450 --> 54:10.750]  going to have to
[54:10.750 --> 54:11.270]  set up all the
[54:11.270 --> 54:12.190]  infrastructure, test
[54:12.190 --> 54:12.850]  it out and get it
[54:12.850 --> 54:13.730]  going.
[54:13.770 --> 54:14.430]  But once you're
[54:14.430 --> 54:15.410]  emulating the
[54:15.410 --> 54:17.030]  adversary, try to
[54:17.030 --> 54:17.510]  think about the
[54:17.510 --> 54:18.410]  modus operandi
[54:18.410 --> 54:18.990]  that we thought
[54:18.990 --> 54:19.990]  about earlier.
[54:20.110 --> 54:21.050]  The adversary is trying
[54:21.050 --> 54:21.970]  to steal targeted
[54:21.970 --> 54:23.350]  information.
[54:23.510 --> 54:24.770]  The goal is not
[54:24.770 --> 54:26.630]  to get into
[54:27.310 --> 54:28.130]  the domain
[54:28.130 --> 54:29.130]  controller.
[54:29.210 --> 54:30.190]  I saw somebody
[54:30.190 --> 54:30.990]  on Discord
[54:30.990 --> 54:31.710]  that said,
[54:31.710 --> 54:32.150]  "hack the
[54:32.150 --> 54:32.950]  Gibson."
[54:34.210 --> 54:34.930]  Think about your
[54:34.930 --> 54:35.510]  goal throughout
[54:35.510 --> 54:36.310]  this and where
[54:36.310 --> 54:36.770]  is it you're
[54:36.770 --> 54:37.230]  actually trying
[54:37.230 --> 54:38.350]  to get to.
[54:38.510 --> 54:38.890]  And then think
[54:38.890 --> 54:39.990]  about pacing.
[54:39.990 --> 54:41.690]  How is it that
[54:41.690 --> 54:42.590]  the adversary
[54:42.590 --> 54:43.630]  actually operates?
[54:43.630 --> 54:44.210]  Are they somebody
[54:44.210 --> 54:45.710]  that is slow
[54:45.710 --> 54:47.390]  and methodical
[54:47.390 --> 54:47.790]  in how they're
[54:47.790 --> 54:48.390]  spreading out?
[54:48.390 --> 54:49.390]  Are they doing a
[54:49.390 --> 54:53.030]  smash and grab?
[54:53.030 --> 54:53.570]  Think about that
[54:53.570 --> 54:54.490]  as much as
[54:54.490 --> 54:56.570]  possible.
[54:56.570 --> 54:57.750]  In closing,
[54:57.750 --> 54:58.350]  some of the
[54:58.350 --> 54:58.910]  things I hope
[54:58.910 --> 54:59.470]  to take away
[54:59.470 --> 55:00.790]  from this is
[55:00.790 --> 55:01.210]  pick your
[55:01.210 --> 55:02.190]  adversary wisely.
[55:02.190 --> 55:02.890]  There are a lot of
[55:02.890 --> 55:03.550]  things you can
[55:03.550 --> 55:04.430]  think about to
[55:04.750 --> 55:05.890]  leverage intel
[55:05.890 --> 55:06.550]  in the selection
[55:06.550 --> 55:07.270]  of an adversary
[55:07.270 --> 55:07.630]  in the first
[55:07.630 --> 55:08.550]  place.
[55:08.630 --> 55:09.330]  The intel
[55:09.330 --> 55:09.910]  in your adversary
[55:09.910 --> 55:10.570]  isn't going to be
[55:10.570 --> 55:11.150]  perfect.
[55:11.150 --> 55:11.790]  It doesn't matter
[55:11.790 --> 55:12.210]  if you're getting
[55:12.210 --> 55:13.130]  it from ATT&CK,
[55:13.130 --> 55:14.270]  original sources,
[55:14.270 --> 55:15.170]  or wherever.
[55:15.470 --> 55:17.170]  But it is not
[55:17.170 --> 55:17.610]  going to be
[55:17.610 --> 55:18.570]  perfect.
[55:18.710 --> 55:19.230]  But you can
[55:19.230 --> 55:20.150]  still emulate
[55:20.150 --> 55:20.790]  an adversary
[55:20.790 --> 55:22.230]  with imperfect
[55:22.230 --> 55:23.110]  intel.
[55:23.110 --> 55:23.630]  So this is
[55:23.630 --> 55:24.310]  something you
[55:24.310 --> 55:25.050]  can pull off
[55:25.050 --> 55:26.410]  even though
[55:26.410 --> 55:27.290]  you're not
[55:27.290 --> 55:27.650]  going to know
[55:27.650 --> 55:27.990]  absolutely
[55:27.990 --> 55:28.370]  everything
[55:28.370 --> 55:28.810]  about an
[55:28.810 --> 55:29.730]  adversary.
[55:31.730 --> 55:32.470]  I'll post
[55:32.470 --> 55:33.590]  my slides, but
[55:33.590 --> 55:34.570]  some of the links
[55:34.570 --> 55:35.730]  to resources I
[55:35.730 --> 55:36.410]  used in here
[55:36.410 --> 55:36.990]  between
[55:36.990 --> 55:38.030]  ATT&CK
[55:38.030 --> 55:38.990]  Navigator and
[55:38.990 --> 55:39.390]  ATT&CK
[55:39.390 --> 55:40.490]  itself.
[55:40.490 --> 55:41.410]  We've put out
[55:41.690 --> 55:42.070]  a couple of
[55:42.070 --> 55:43.090]  emulation plans
[55:43.090 --> 55:44.030]  where we've used
[55:44.150 --> 55:44.430]  a lot of this
[55:44.430 --> 55:45.510]  process and how
[55:45.510 --> 55:46.050]  we've actually
[55:46.050 --> 55:47.370]  done it.
[55:47.610 --> 55:48.790]  And we've got
[55:48.790 --> 55:49.630]  our own
[55:49.630 --> 55:50.690]  Red Team
[55:50.690 --> 55:51.930]  automated
[55:51.930 --> 55:52.970]  tool, Caldera,
[55:52.970 --> 55:53.270]  that we've
[55:53.270 --> 55:54.670]  actually ported
[55:54.670 --> 55:55.950]  the APT29
[55:55.950 --> 55:56.970]  emulation plan
[55:56.970 --> 55:58.170]  over to.
[55:59.950 --> 56:01.270]  And I'm
[56:01.270 --> 56:01.870]  reachable
[56:01.870 --> 56:02.270]  in a couple
[56:02.270 --> 56:03.030]  different venues
[56:03.030 --> 56:04.090]  via ATT&CK,
[56:04.090 --> 56:04.850]  via Twitter,
[56:04.850 --> 56:05.770]  whatever.
[56:06.950 --> 56:07.490]  And that's it
[56:07.490 --> 56:08.490]  for me.
[56:08.690 --> 56:09.610]  And so I'm
[56:09.610 --> 56:10.090]  going to be
[56:10.090 --> 56:10.890]  answering questions
[56:10.890 --> 56:11.490]  in Discord
[56:11.490 --> 56:13.190]  after this,
[56:13.190 --> 56:14.150]  but a couple I
[56:14.150 --> 56:14.670]  did catch
[56:14.670 --> 56:15.830]  scroll by that
[56:15.830 --> 56:16.730]  I'll take on
[56:16.730 --> 56:17.610]  now.
[56:17.610 --> 56:18.390]  So I saw
[56:18.390 --> 56:20.090]  somebody saying,
[56:20.090 --> 56:20.830]  am I talking
[56:20.830 --> 56:21.270]  about the
[56:21.270 --> 56:21.730]  pre-ATT&CK
[56:21.730 --> 56:22.710]  stuff?
[56:22.830 --> 56:23.830]  Yes.
[56:23.830 --> 56:24.770]  So we're
[56:24.770 --> 56:25.630]  undergoing a
[56:25.630 --> 56:26.330]  merger right
[56:26.330 --> 56:27.410]  now of the
[56:27.410 --> 56:27.690]  information that's
[56:27.690 --> 56:28.670]  in pre-ATT&CK.
[56:28.670 --> 56:29.990]  We are refactoring
[56:29.990 --> 56:31.170]  it down to
[56:31.790 --> 56:32.390]  just
[56:33.230 --> 56:33.830]  information
[56:33.830 --> 56:34.290]  that is
[56:34.290 --> 56:35.490]  technical,
[56:35.490 --> 56:36.190]  things that
[56:36.190 --> 56:36.970]  some defenders
[56:36.970 --> 56:37.690]  somewhere can
[56:37.690 --> 56:38.430]  see.
[56:38.430 --> 56:39.570]  So some of the
[56:39.570 --> 56:40.810]  intelligence planning
[56:40.810 --> 56:41.450]  steps are going
[56:41.450 --> 56:41.830]  to be going
[56:41.830 --> 56:42.670]  away.
[56:42.670 --> 56:43.410]  And we're
[56:43.410 --> 56:44.170]  refactoring that
[56:44.170 --> 56:44.930]  into two new
[56:44.930 --> 56:45.970]  tactics,
[56:45.970 --> 56:46.470]  reconnaissance
[56:46.470 --> 56:47.030]  and resource
[56:47.030 --> 56:48.130]  development.
[56:48.130 --> 56:48.410]  So that's
[56:48.410 --> 56:48.850]  something you
[56:48.850 --> 56:49.250]  can expect
[56:49.250 --> 56:50.190]  to see in
[56:50.190 --> 56:50.790]  the next
[56:50.790 --> 56:51.350]  release of
[56:51.350 --> 56:52.230]  pre-ATT&CK.
[56:52.930 --> 56:53.670]  And with
[56:53.670 --> 56:54.490]  that, I
[56:55.210 --> 56:55.710]  will be
[56:55.710 --> 56:55.930]  answering
[56:55.930 --> 56:56.510]  questions in
[56:56.510 --> 56:57.010]  Discord.
[56:57.010 --> 56:57.670]  And thank you
[56:57.670 --> 56:58.210]  for attending
[56:58.210 --> 56:58.890]  my talk.
[56:59.250 --> 57:00.070]  Thank you so
[57:00.070 --> 57:00.790]  much, Adam.
[57:00.810 --> 57:01.630]  And thank you
[57:01.630 --> 57:02.270]  for supporting
[57:02.270 --> 57:03.150]  not only
[57:03.150 --> 57:04.170]  the community
[57:04.170 --> 57:04.750]  and the
[57:04.750 --> 57:05.490]  DEF CON,
[57:05.490 --> 57:05.730]  but the
[57:05.730 --> 57:05.990]  Red Team
[57:05.990 --> 57:06.390]  Village as
[57:06.390 --> 57:06.610]  well.
[57:06.610 --> 57:07.730]  Amazing talk.
[57:08.030 --> 57:08.610]  And for
[57:08.610 --> 57:09.090]  those of you
[57:09.090 --> 57:09.530]  that are
[57:09.530 --> 57:10.010]  watching
[57:10.010 --> 57:11.190]  in Twitch,
[57:11.190 --> 57:14.430]  YouTube,
[57:14.430 --> 57:15.430]  that's where
[57:15.430 --> 57:16.150]  you can get
[57:16.150 --> 57:16.610]  access to
[57:16.610 --> 57:17.010]  the Discord
[57:17.010 --> 57:18.310]  server that
[57:18.310 --> 57:18.730]  Adam was
[57:18.730 --> 57:19.610]  mentioning.
[57:20.210 --> 57:20.810]  We're going to
[57:20.810 --> 57:21.410]  go on a
[57:21.410 --> 57:22.250]  brief break
[57:22.250 --> 57:22.650]  and the
[57:22.650 --> 57:23.510]  next presentation
[57:23.510 --> 57:23.870]  will start
[57:23.870 --> 57:24.010]  in just a
